Again we are presented with the daunting task of either auditing our own online security, or ignoring it and risking exposure. The latest cause of the scare comes from the hacked Apple accounts of numerous celebrities, which resulted in their private, nude photos being posted online. In what can only be described as a horrible breach of privacy, the finger pointing game has started, with Apple taking a strong defense.
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
That’s the statement put out by Apple yesterday in response to this attack. I’m sure that before it was published, it got about as many eyes as the leaked photos, except these were the eyes of lawyers. It’s pretty much a blanket denial and one that needs to be addressed.
Before I get into the popular online theory of what happened, I want to address Apple’s statement. We all know that weak passwords are a problem, yet we use them anyway. Why? Because everything requires a login, and remembering a long, random line of characters for each site can be a pain in the butt, to put it mildly. Sure, there are password storage services, but what happens if they get hacked? Then you get everything.
Let’s face it; until some new technology comes out for better ways of protecting things, we are stuck with passwords, and stuck with people having weak passwords.
Then there’s the issue of “security challenges”. These are those common questions you have to answer in order to have your password reset. In about 99% of the cases, they are very common, personal questions like “What is your mother’s maiden name”, or “Name of the city you were born in”. In a world of non-stop media and paparazzi, keeping this information private is nearly impossible for high profile people. In a lot of cases, a quick trip to Wikipedia or IMDB can quickly give you the information.
But who decides the questions? Well, that would be the provider, or Apple in this case. All the companies have pretty much come up with a standard set of 5-10 questions, of which you select one, two or three and provide the answers. The entire “security challenge” idea here is rather useless, and it’s time for the tech giants to realize that.
Next we get to the issue of hackers guessing the passwords. That is a common hacking vector, known as “brute force”. Essentially you have a dictionary file that is used to generate passwords, changing the casing, word combinations and anything else you can think of. They are called “brute force”, because that is exactly how they function – forcing their way into finding your password in a brutish fashion.
The brute force idea is one circulated in the online tech world shortly after the images first appeared, and so happens to be the one that I agree with. In my years of work in the online tech world, we see brute force attacks constantly. A real common one is brute force attacks on the “root”, or super user account, for servers. I’m in the process of setting up numerous new servers for clients, using IP addresses that haven’t been used in a couple of years. Within minutes of them going online, suddenly there are tons of brute force attacks, trying to guess the root password, as well as guessing other accounts.
So how do I combat these things? Well, I use an open source tool called Fail2Ban. Fail2Ban watches the logs of the various services running on a server for failed logins. If an IP address fails to log in X times, that IP address gets blocked from accessing the server in the firewall. I also combine this with some other tricks, meant to help prevent DDoS attacks, and it has performed superbly for years.
The idea behind Fail2Ban is nothing new, and neither is the program itself. It first surfaced in 2004 and has become an essential tool inside the toolbox of anyone in the IT world. The same philosophy has also been applied to countless web services over the years. vBulletin, a popular forum software, has done something similar for as long as I can remember. If you try to log in with the wrong password so many times, then your account is locked and an email is dispatched to you, with a link to unlock your account.
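To make both lockout ideas concrete, here is an added example of my own (not Fail2Ban’s code) that replays constructed sshd-style log lines using Fail2Ban’s maxretry/findtime approach: an IP address is banned after three failures within ten minutes, and, going one step beyond the per-IP ban to the account lockout described above, a username is locked after three failures from any combination of addresses. The log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd-style auth.log line: syslog stamp, host, verdict, user and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log (not from a real server): one IP hammering root, one
# legitimate user who mistypes once, and a slow guess at root spread over three IPs.
SAMPLE_LOG = """\
Sep 3 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 4010 ssh2
Sep 3 10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 4011 ssh2
Sep 3 10:00:04 host sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 4012 ssh2
Sep 3 10:00:06 host sshd[104]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Sep 3 10:00:07 host sshd[105]: Accepted password for alice from 198.51.100.7 port 5001 ssh2
Sep 3 10:00:09 host sshd[106]: Failed password for root from 203.0.113.5 port 4013 ssh2
Sep 3 10:20:00 host sshd[107]: Failed password for root from 198.51.100.7 port 5002 ssh2
Sep 3 10:20:05 host sshd[108]: Failed password for root from 192.0.2.9 port 6000 ssh2
Sep 3 10:20:08 host sshd[109]: Failed password for root from 192.0.2.10 port 6001 ssh2
"""

def _expire(window, now, findtime):
    """Drop failures older than findtime seconds from the front of the window."""
    while window and (now - window[0]).total_seconds() > findtime:
        window.popleft()

def scan_auth_log(log_text, maxretry=3, findtime=600):
    """Replay the log and return (banned_ips, locked_accounts), each mapping the
    offender to the time it reached maxretry failures inside a sliding findtime
    window. The IP table mirrors a Fail2Ban jail; the per-account table catches
    guessing spread across many source addresses, which per-IP banning misses."""
    ip_fails, user_fails = defaultdict(deque), defaultdict(deque)
    banned, locked = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        if m["ip"] in banned or m["result"] == "Accepted":
            continue  # banned IP: the firewall would drop it; success: counters are not reset
        for key, table, hits in ((m["ip"], ip_fails, banned), (m["user"], user_fails, locked)):
            window = table[key]
            _expire(window, ts, findtime)
            window.append(ts)
            if len(window) >= maxretry and key not in hits:
                hits[key] = ts
    return banned, locked
```

Running `scan_auth_log(SAMPLE_LOG)` bans 203.0.113.5 at 10:00:04 and locks the root account at 10:20:08, while alice’s single typo and the lone late failure from 198.51.100.7 trigger nothing.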
When the theory emerged that this is how the hackers gained access to the celebrities’ accounts, proof of concept source code was posted online, showing that you can make repeated password attempts against an iCloud account and iCloud doesn’t block them. Within a few hours, iCloud did start blocking those attempts, showing that someone was paying attention, but that is still too late.
Any project I do, whether custom coding or setting up a server, I perform tons of security tests to make sure it is secure. That’s just me, a simple one man development shop, so thinking that a tech giant like Apple, with their record profits, can’t do the same is utterly mind-boggling. Does Apple take security so lightly that they just don’t care about this stuff, or are they trying to save a few bucks and instead quickly put the blame on the users for any breaches? My guess, and it is only a guess, would be that both of these are the case.
But Apple has an image to protect. With the release of their latest iPhone less than a week away, Apple doesn’t need the bad PR that their services failed to meet the basic needs of security, so they are now in serious damage control. If Apple does one thing right, it is PR and legal backing. That’s why we don’t see Apple execs forced to Capitol Hill when things like this happen. They give themselves cover through obscurity. Hiding things in multi-page service agreements that no one bothers to read, let alone comprehend, is their biggest protection.
So let’s go back to the original statement by Apple. They are saying this was a “targeted” attack using common, publicly known information about these celebrities. Fine, let’s say that is the case. Either these hackers are amazing at guessing, getting the right information in before a lockout, or there was simply no lockout. I would have to say the latter is the case here. Simply put, Apple did fail their customers. They did so by not having protection mechanisms in place against this very common attack. Their excuse is not fooling me, or anyone else with any kind of tech background. It’s actually an insult to us, as well as their users.
Instead of playing the finger pointing game, Apple should put their big boy pants on and admit that they screwed up. If they don’t want to, then Congress should hold hearings into this to find out exactly what happened, and look at possible legislation that can protect the end users when a tech company fails so miserably. Until that happens, I’m strongly recommending people stay away from Apple products, because it’s obvious they really don’t care about security, and that is something that shouldn’t be rewarded by sales.